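# NixOS module for the "jawz" account: sops-managed key material dropped into
# the user's home, a Syncthing service running as that user, and the account
# definition itself (password file, groups, authorized SSH keys).
{ config, ... }:
let
  inherit (config.networking) hostName;
  # Resolved once; `home` is derived from the user definition below rather than
  # hard-coded so that relocating the account keeps the secret paths in sync.
  jawz = config.users.users.jawz;
in
{
  sops.secrets =
    let
      baseDir = ".ssh/ed25519";
      # All key secrets come from the same encrypted file and are decrypted into
      # the user's home, owned by the user. sops-nix's default file mode applies
      # since none is set here; the private keys are only readable by `jawz`.
      keyConfig = file: {
        sopsFile = ../secrets/keys.yaml;
        owner = jawz.name;
        inherit (jawz) group;
        path = "${jawz.home}/${file}";
      };
    in
    {
      # The password hash must be available before user creation, so it is
      # decrypted in the early "for users" stage.
      jawz-password.neededForUsers = true;
      # age identity used to decrypt the sops files themselves.
      "private_keys/age" = keyConfig "${baseDir}_age";
      "public_keys/age" = keyConfig "${baseDir}_age.pub";
      # Per-host SSH identity, selected by the machine's own hostName.
      "private_keys/${hostName}" = keyConfig "${baseDir}_${hostName}";
      "git_private_keys/${hostName}" = keyConfig "${baseDir}_git";
      # Syncthing device key/cert; referenced by services.syncthing below.
      "syncthing_keys/${hostName}" = keyConfig ".config/syncthing/key.pem";
      "syncthing_certs/${hostName}" = keyConfig ".config/syncthing/cert.pem";
    };

  # Ignore file for the browser-profile share.
  home-manager.users.jawz.home.file.".librewolf/.stignore".source = ../dotfiles/stignore;

  services.syncthing = {
    enable = true;
    user = "jawz";
    group = "users";
    # Declarative devices/folders: anything configured through the GUI that is
    # not listed here is removed on activation.
    overrideDevices = true;
    overrideFolders = true;
    # Device identity comes from the sops-managed files, so the device ID is
    # stable across rebuilds and the private key never enters the Nix store.
    key = config.sops.secrets."syncthing_keys/${hostName}".path;
    cert = config.sops.secrets."syncthing_certs/${hostName}".path;
    settings = {
      # Device IDs are public identifiers (derived from each device's certificate).
      devices = {
        server.id = "BG6PF7S-KATABWO-7WAZFMX-6YO7IS3-WQTMR3M-VSOSV7V-HFFMNNH-BFX2EQ4";
        miniserver.id = "HDYEGIR-GFU7ONK-MOOJUFH-N3L3XHX-SXWN3FI-O23K6LD-BJENQK5-VIPV2AT";
        workstation.id = "4E4KJ6M-MSTNBVF-D7CNHDW-DUTB3VR-SXKZ4NH-ZKAOMF5-V24JECJ-4STSZAA";
        galaxy.id = "UAZ5YDV-YUFBXOY-QMS6S6R-WPIIKZI-4OPPW5L-G4OVUPO-YW5KFYY-YASRAAV";
      };
      folders = {
        cache = {
          path = "~/Downloads/cache/";
          ignorePerms = false;
          devices = [ "galaxy" ];
        };
        gdl = {
          path = "~/.config/jawz/";
          ignorePerms = false;
          devices = [ "server" "miniserver" "workstation" ];
        };
        librewolf = {
          path = "~/.librewolf/";
          ignorePerms = false;
          copyOwnershipFromParent = true;
          # The workstation is the single source of truth for the browser
          # profile; every other host only receives changes.
          type = if hostName == "workstation" then "sendonly" else "receiveonly";
          devices = [ "server" "miniserver" "workstation" ];
        };
        notes = {
          path = "~/Documents/";
          ignorePerms = false;
          devices = [ "galaxy" ];
        };
      };
    };
  };

  users.users.jawz = {
    uid = 1000;
    # Keep the user's systemd instance (and user services) running without an
    # active login session.
    linger = true;
    isNormalUser = true;
    # Hash is supplied out-of-band via sops (see jawz-password above), never
    # written into the world-readable Nix store.
    hashedPasswordFile = config.sops.secrets.jawz-password.path;
    # NOTE(review): "wheel", "docker" and "libvirt" each grant effectively
    # root-equivalent access on the host; keep this list deliberate.
    extraGroups = [
      "wheel"
      "networkmanager"
      "scanner"
      "lp"
      "piracy"
      "kavita"
      "video"
      "docker"
      "libvirt"
      "rslsync"
      "plugdev"
      "bluetooth"
    ];
    # Only public halves are referenced here; the private keys are delivered
    # through sops.secrets above.
    openssh.authorizedKeys.keyFiles = [
      ../secrets/ssh/ed25519_deacero.pub
      ../secrets/ssh/ed25519_workstation.pub
      ../secrets/ssh/ed25519_server.pub
      ../secrets/ssh/ed25519_miniserver.pub
      ../secrets/ssh/ed25519_galaxy.pub
      ../secrets/ssh/ed25519_phone.pub
    ];
  };
}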